Countermeasures

We have presented some of the techniques commonly used by Web hackers to profile a Web application and figure out what's running in the black boxes that host it. Technology identification plays an important role in Web hacking, because it allows hackers to choose their weapons appropriately when attempting to compromise a Web application.

There is no easy way to stop hackers from gathering information about the technologies used in a Web application. However, two rules of thumb should be followed, both of which apply the principle of least privilege to information: the browser should receive nothing it does not need.

Rule 1: Minimize Information Leaked from the HTTP Header

Most Web servers can be configured so that they return no more information than needed in the HTTP response headers; the server identification string should be trimmed to the minimum the product allows. Likewise, application servers used as plug-ins with the front-end Web server must not announce themselves in the response headers (for example, through an X-Powered-By header); the front-end server, or the application itself, should strip such headers before the response leaves the host.

Rule 2: Prevent Error Information from Being Sent to the Browser

When a Web application moves from development to production, proper error handling routines must be put in place to catch exceptions and errors generated during application use. Detailed error information (stack traces, database errors, file paths, SQL statements) should be written to an internal log file on the Web server, outside the document root. Only a brief, generic message should be returned to the browser when an application error occurs; an opaque reference number in that message lets support staff find the matching log entry without revealing anything to the client. Again, most Web servers and application servers can be configured in this manner.
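The following is an added example, not code from the book, showing one way to apply both rules in a plain WSGI application in Python. A wrapper strips technology-identifying response headers (Rule 1) and turns unhandled exceptions into a brief message for the client while the full traceback goes to an internal log (Rule 2). A small parser at the end performs the check a practitioner would run against a captured HEAD response to see what the server still leaks. The set of header names, the demo application, the sample response and the in-memory log are all assumptions constructed for this example.

```python
import io
import logging
import sys
import traceback
import uuid

# Response headers that commonly announce the Web server, application
# server or framework. This set is an assumption for the example;
# extend it for the stack you actually run.
FINGERPRINT_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-runtime", "x-generator", "via",
}

# Internal error log (Rule 2). Kept in memory so the example runs
# offline; in production this is a file outside the document root.
LOG_BUFFER = io.StringIO()
_handler = logging.StreamHandler(LOG_BUFFER)
_handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
log = logging.getLogger("app.errors")
log.addHandler(_handler)
log.setLevel(logging.ERROR)
log.propagate = False


def hardened(app):
    """Wrap a WSGI application so that neither fingerprint headers
    (Rule 1) nor exception detail (Rule 2) reach the browser."""

    def wrapper(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            # Rule 1: drop identifying headers before they leave the app.
            clean = [(k, v) for k, v in headers
                     if k.lower() not in FINGERPRINT_HEADERS]
            return start_response(status, clean, exc_info)

        try:
            return app(environ, filtered_start_response)
        except Exception:
            # Rule 2: full traceback to the internal log; only a brief
            # message plus an opaque reference ID goes to the client.
            ref = uuid.uuid4().hex[:12]
            log.error("ref=%s path=%s\n%s", ref,
                      environ.get("PATH_INFO", "?"), traceback.format_exc())
            body = f"An internal error occurred (reference {ref}).".encode()
            filtered_start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain; charset=utf-8"),
                 ("Content-Length", str(len(body)))],
                sys.exc_info())
            return [body]

    return wrapper


def leaky_app(environ, start_response):
    """Constructed stand-in for an unhardened deployment: it advertises
    its stack in headers and raises an unhandled exception on /boom."""
    if environ.get("PATH_INFO") == "/boom":
        raise ValueError("database connection string rejected")  # constructed
    body = b"hello"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
        ("Server", "Apache/2.4.41 (Ubuntu) PHP/7.4.3"),  # constructed values
        ("X-Powered-By", "PHP/7.4.3"),
    ])
    return [body]


def call(app, path):
    """Invoke a WSGI app in-process; return (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                        start_response))
    return (captured["status"],
            {k.lower(): v for k, v in captured["headers"]}, body)


def leaked_headers(raw_response):
    """Check for Rule 1: parse the head of a raw HTTP response (as seen
    after a HEAD request) and return the identifying headers it carries."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in FINGERPRINT_HEADERS:
            found[name.strip().lower()] = value.strip()
    return found


# Constructed response for the check; not captured from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("leaky   :", call(leaky_app, "/")[1])
    print("hardened:", call(hardened(leaky_app), "/")[1])
    print("error   :", call(hardened(leaky_app), "/boom")[2])
    print("leaked  :", leaked_headers(SAMPLE_RESPONSE))
```

The wrapper filters at the point where headers are emitted rather than after the fact, so a framework that adds its own identifying header still has it removed, and the 500 handler re-enters the same filter so the error path cannot leak either. Run `leaked_headers` over the response of your own server after hardening it; anything it still returns is what an attacker gets for free.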

Many clients have told us that they were quite content with having changed the server identification string in the HTTP header and the file extensions of their pages to confuse hackers and spare themselves from attack. However, such security by obscurity is not a lasting solution. At best, changing the server identification string stops script kiddies and automated Web vulnerability scanners such as Whisker that key on that string. It does not stop a skilled Web hacker, and it does nothing about the error messages, behaviour and other clues that reveal the underlying technology regardless of what the header claims.

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005